SALSA NetAuth

28-09-04 I2 Fall MM, Austin, TX, USA
Requirements definition
• Enable NREN users to use the Internet (WLAN and wired) everywhere in Europe with:
– Minimal administrative overhead (per roaming user)
– Good usability
– Maintaining required security for all partners.
– Scalable!
Opportunities
[Diagram labels: International connectivity; Institution A WLAN; Access Provider WLAN; SURFnet backbone; Institution B WLAN; Access Provider GPRS; Access Provider POTS; Access Provider ADSL]
Web-based with RADIUS
RADIUS based Web interface authentication at the University of Tampere
[Diagram labels: AAA Server; Access Control Device; Internet; Docking Network; WWW-browser; numbered steps 1 to 5]
The Finnish are scaling their solution by using a hierarchy of RADIUS proxy servers for their national infrastructure
VPN
• Wbone – VPN roaming solution to 4 universities / colleges in state of Bremen.
• SWITCHmobile – VPN solution deployed at 7 universities across Switzerland.
• A "virtual campus" initiative in Lisbon, and been testing and developing a VPN & PKI infrastructure.
• PPPoE – University of Bristol
[Diagram labels: VPN-Gateways; Docking network; G-WiN; Campus Network; Intranet X; DHCP, DNS, free Web]
Cross-domain 802.1X with VLAN assignment
[Diagram labels: Supplicant; Authenticator (AP or switch); Institution A; Institution B; RADIUS server (×2); User DB (×2); Central RADIUS Proxy server; Internet; Guest; piet@institution_b.nl; Employee VLAN; Guest VLAN; Student VLAN]
Authentication at home institution, 802.1X, TTLS (SecureW2), (proxy) RADIUS. One time passwords are also transmitted via SMS to guest users.
EduRoam
[Diagram labels: European RADIUS Proxy Server (×2); National RADIUS Proxy Server (×2); Organisational RADIUS Servers A, B, C and D]
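An added example, not taken from the original slides, of how the realm in a user identity can steer a request through the proxy hierarchy drawn above and how the visited side can then pick a VLAN, as on the cross-domain 802.1X slide. Every realm name other than institution_b.nl, the TLD-based routing rule, the roles and the VLAN names are assumptions made for illustration; the credential check itself (the TTLS inner authentication) is not modelled.

```python
# Added illustration: realm-based routing through a RADIUS proxy hierarchy.
# Realm names, users, roles and VLAN names are constructed for this example.

# Organisational servers: realm -> local user DB (user -> role). Constructed data.
ORG_SERVERS = {
    "institution_a.nl": {"anna": "employee", "bas": "student"},
    "institution_b.nl": {"piet": "employee"},
    "institution_c.fi": {"liisa": "student"},
}

def split_identity(identity):
    """Split 'user@realm'; reject identities without exactly one realm part."""
    user, sep, realm = identity.strip().lower().rpartition("@")
    if not sep or not user or not realm or "@" in user:
        raise ValueError("identity must look like user@realm")
    return user, realm

def route(identity, visited_realm):
    """Return the RADIUS hops from the visited server to the home server."""
    _, home = split_identity(identity)
    if home not in ORG_SERVERS:
        raise LookupError(f"no route for realm {home!r}")  # fail closed
    hops = [f"org:{visited_realm}"]
    if home == visited_realm:
        return hops  # local user, answered by the local server
    visited_tld = visited_realm.rsplit(".", 1)[1]
    home_tld = home.rsplit(".", 1)[1]
    hops.append(f"national:{visited_tld}")
    if home_tld != visited_tld:
        # Assumption: cross-country requests climb to the European proxy.
        hops += ["european", f"national:{home_tld}"]
    hops.append(f"org:{home}")
    return hops

def authorize(identity, visited_realm):
    """Home server decides accept/reject; the visited side picks the VLAN."""
    user, home = split_identity(identity)
    hops = route(identity, visited_realm)
    role = ORG_SERVERS[home].get(user)
    if role is None:
        return {"result": "reject", "vlan": None, "hops": hops}
    # Assumption: visitors always land in the guest VLAN, whatever their home role.
    vlan = f"{role}-vlan" if home == visited_realm else "guest-vlan"
    return {"result": "accept", "vlan": vlan, "hops": hops}

if __name__ == "__main__":
    print(authorize("piet@institution_b.nl", "institution_a.nl"))
```

Unknown realms and malformed identities raise instead of falling back to a default route, so a request that cannot be attributed to a home institution is never accepted.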
EduRoam participants
EduRoam 2004-2006
• Expand EduRoam
• Updated glossary
• Improve the ‘EduRoam portal’ with links to all national pages
• Investigate applicability of EduRoam for roaming access to services
• Updated roaming requirements document
• Updated policy and legal documents
• A more robust trust fabric
– monitoring status and use
– Detecting and tracking abuse
• Insight in the applicability/influence of new technologies
– RADIUS attribs, Diameter, DNSsec, (M)IPv6, PKI
– Other networks (dial-in, fixed,…)
• Blueprint of possible authentication architectures
• Evaluation of proposed architectures
• Requirements for roaming access to services
• Requirements for roaming access to commercial networks
• Roaming architecture
• EduRoam-in-a-box
Next steps
.edu